---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: access-to-aggregating-proxy-http
  namespace: d8-monitoring
  {{- include "helm_lib_module_labels" (list . (dict "app" "aggregating-proxy")) | nindent 2 }}
rules:
  - apiGroups: ["apps"]
    resources: ["deployments/http"]
    resourceNames: ["aggregating-proxy"]
    verbs: ["get", "create", "update", "patch", "delete"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: access-to-aggregating-proxy-http
  namespace: d8-monitoring
  {{- include "helm_lib_module_labels" (list . (dict "app" "aggregating-proxy")) | nindent 2 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: access-to-aggregating-proxy-http
subjects:
  - kind: Group
    name: ingress-nginx:auth
  - kind: Group
    name: prometheus:auth
  - kind: ServiceAccount
    name: prometheus
    namespace: d8-monitoring
{{- if (.Values.global.enabledModules | has "upmeter") }}
  - kind: ServiceAccount
    name: upmeter-agent
    namespace: d8-upmeter
{{- end }}
{{- if (.Values.global.enabledModules | has "prometheus-metrics-adapter") }}
  - kind: ServiceAccount
    name: prometheus-metrics-adapter
    namespace: d8-monitoring
{{- end }}
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
  name: access-to-aggregating-proxy-prometheus-metrics
  namespace: d8-monitoring
  {{- include "helm_lib_module_labels" (list . (dict "app" "aggregating-proxy")) | nindent 2 }}
rules:
  - apiGroups: ["apps"]
    resources: ["deployments/prometheus-metrics"]
    resourceNames: ["aggregating-proxy"]
    verbs: ["get"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
  name: access-to-aggregating-proxy-prometheus-metrics
  namespace: d8-monitoring
  {{- include "helm_lib_module_labels" (list . (dict "app" "aggregating-proxy")) | nindent 2 }}
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: access-to-aggregating-proxy-prometheus-metrics
subjects:
  - kind: User
    name: d8-monitoring:scraper
  - kind: ServiceAccount
    name: prometheus
    namespace: d8-monitoring
